[ale] Firewall+Game+DNAT= ???

Christopher R. Curzio ale at accipiter.org
Thu Aug 28 20:27:25 EDT 2003


You have broken flags. Your rule should look like this:

iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 2300:2400 -j DNAT --to 192.168.0.3:2300-2400

I would also forward UDP, just in case.

-- 
Christopher R. Curzio     |  Quantum materiae materietur marmota monax
http://www.accipiter.org  |  si marmota monax materiam possit materiari?
:wq!



Thus Spake "Robert L. Harris" <Robert.L.Harris at rdlg.net>:
Thu, 28 Aug 2003 19:46:48 -0400


> 
> 
> I'm trying to play allegiance (looks interesting at
> http://www.alleg.net/)
> which appears to require the following rule:
> 
> $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --destination-port
> 2300:2400 -j DNAT --to-destination 192.168.0.3
> 
> I've put this in my firewall and I'm still getting this:
> 
> IPTables v4 Dropped: IN=eth0 OUT=eth1 SRC=67.11.229.37 DST=192.168.0.3
> LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=86 DF PROTO=TCP SPT=1678 DPT=2300
> WINDOW=16384 RES=0x00 SYN URGP=0
> 
> 
> The relevant portions of my firewall look like this:
> 
> --------------------------------------------------------------------------
> 
> #! /bin/bash
> #
> IPTABLES=/sbin/iptables
> IPADDR=24.241.190.29
> IFACE1=eth0
> 
> #
> # Lets flush em all
> #
> $IPTABLES -F
> #
> # Turn on forwarding
> #
> echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> ## Make sure NEW tcp connections are SYN packets
> iptables -A INPUT -i $IFACE1 -p tcp ! --syn -m state --state NEW -j DROP
> 
> 
> # Refuse spoofed packets pretending to be from your IP address.
> iptables -A INPUT  -i $IFACE1 -s $IPADDR -j DROP
> 
> # first chain is for allowing established and related connections 
> $IPTABLES -N first
> $IPTABLES -A first -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> # this is a rule to let all my local traffic through 
> $IPTABLES -N local
> $IPTABLES -A local -m state --state NEW -i ! $IFACE1 -j ACCEPT
> 
> # I'm using logging and reject with my cleanup rule, these are both
> # optional modules
> $IPTABLES -N cleanup
> $IPTABLES -A cleanup -j LOG --log-level debug --log-prefix "IPTables v4 Dropped: "
> $IPTABLES -A cleanup -j DROP
> 
> #
> # Lets initialize the chain
> #
> $IPTABLES -A INPUT -j first
> 
> #
> # Lets allow some good stuff
> #
> ################
> $IPTABLES -A INPUT -i $IFACE1 -p tcp --destination-port 2300:2400 -j ACCEPT
> $IPTABLES -t nat -A PREROUTING -i $IFACE1 -p tcp --destination-port 2300:2400 -j DNAT --to-destination 192.168.0.3
> 
> #
> # Finish the rules off
> #
> $IPTABLES -A INPUT -j local
> $IPTABLES -A INPUT -j cleanup
> $IPTABLES -P INPUT DROP
> 
> # FORWARD chain only allows local traffic
> $IPTABLES -A FORWARD -j first
> $IPTABLES -A FORWARD -j local
> $IPTABLES -A FORWARD -j cleanup
> $IPTABLES -P FORWARD DROP
> 
> # This is my nat rule for masquerading. notice the new table -t nat
> $IPTABLES -A POSTROUTING -t nat -o $IFACE1 -j MASQUERADE
> 
> --------------------------------------------------------------------------
> 
> 
> 
> anyone have any thoughts?  I'd like to try this game out, it looks
> really cool.
> 
> 
> 
> :wq!
> ---------------------------------------------------------------------------
> Robert L. Harris                     | GPG Key ID: E344DA3B
>                                          @ x-hkp://pgp.mit.edu
> DISCLAIMER:
>       These are MY OPINIONS ALONE.  I speak for no-one else.
> 
> Life is not a destination, it's a journey.
>   Microsoft produces 15 car pileups on the highway.
>     Don't stop traffic to stand and gawk at the tragedy.
> 
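Added example, written for this thread and not from either poster: a small shell helper that classifies the firewall's "IPTables v4 Dropped:" LOG lines. A netfilter log entry that carries both IN= and OUT= was being routed through the box, so the drop came from the FORWARD chain rather than INPUT, and a DST= already equal to the LAN host shows that the PREROUTING DNAT had fired before the drop. The sample lines are constructed after the one quoted above; the LAN host 192.168.0.3 comes from the quoted script.

```shell
#!/bin/sh
# Classify iptables LOG lines by which chain path the packet took and
# whether DNAT had already rewritten the destination.
# Added example for this thread; not code from either poster.

# Constructed sample lines modelled on the quoted log entry.
SAMPLE_LOG='IPTables v4 Dropped: IN=eth0 OUT=eth1 SRC=67.11.229.37 DST=192.168.0.3 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=86 DF PROTO=TCP SPT=1678 DPT=2300 WINDOW=16384 RES=0x00 SYN URGP=0
IPTables v4 Dropped: IN=eth0 OUT= SRC=203.0.113.9 DST=24.241.190.29 LEN=48 PROTO=TCP SPT=40000 DPT=22 SYN URGP=0'

# field LINE KEY -> value of "KEY=" in LINE (empty when unset, e.g. "OUT=")
field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# classify LINE LAN_HOST -> "CHAIN DNAT-STATE DPT"
#   IN and OUT both set  -> packet was forwarded  -> FORWARD chain dropped it
#   IN set, OUT empty    -> packet was for the box -> INPUT chain dropped it
#   DST already LAN_HOST -> PREROUTING DNAT had already rewritten it
classify() {
    in_if=$(field "$1" IN)
    out_if=$(field "$1" OUT)
    dst=$(field "$1" DST)
    dpt=$(field "$1" DPT)
    if [ -n "$in_if" ] && [ -n "$out_if" ]; then
        chain=FORWARD
    elif [ -n "$in_if" ]; then
        chain=INPUT
    else
        chain=OUTPUT
    fi
    if [ "$dst" = "$2" ]; then dnat=dnat-applied; else dnat=no-dnat; fi
    printf '%s %s %s\n' "$chain" "$dnat" "$dpt"
}

# Walk the sample log; 192.168.0.3 is the game host from the quoted script.
printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
    classify "$line" 192.168.0.3
done
```

The first sample line is reported as FORWARD with DNAT already applied to port 2300, which is where an ACCEPT for the forwarded game ports would need to live.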
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale